How is it possible to get the list of servers which are assigned to a group or nested group?
Example:
Group A is assigned to the server A.Group B is assigned to server B.
User1 and user2 is a member of Group12. Then group12 is added as a member of Group A and Group B.
Now I want to get the list of servers user1 and user2 has access.
I am able to retrieve the groups each user is member of. But still I do not know which servers are added to Group12 for example.
Expected Outcome
Some command -GroupID Group12
Output --> ServerA and Server2
Some command -UserName user1
Output --> ServerA and ServerB
From what I could understand from your query, you want to retrieve the members of groups in AD.
You can use the PowerShell cmdlet Get-ADGroupMember to query the members of a group, as shown below:
# you need to have RSAT (Remote Server Administration Tools) module installed
# on the system where you're going to run below cmdlets in PowerShell
Import-Module ActiveDirectory
Get-ADGroupMember -Identity "GroupA" -Recursive # to get members of Group A
Get-ADGroupMember -Identity "GroupB" -Recursive # to get members of Group B
Get-ADGroupMember -Identity "Group12" -Recursive # to get members of Group 12
Related
How do I create a hidden AAD group (number of users should be listed as 0) in a demo tenant?
I created a hidden group via
New-UnifiedGroup -DisplayName "group-name" HiddenGroupMembershipEnabled
but I still see all the members in the group. What am I missing?
To create hidden Azure AD Group, you can make use of below command:
New-AzureADMSGroup -DisplayName "Group_Name" -groupTypes "Unified" -Visibility "HiddenMembership" -SecurityEnabled $False -MailEnabled $True -MailNickname "mail_name"
Make sure to have AzureADPreview module installed before running the above command.
If you created Azure AD group with "HiddenMembership", the valid users who can see that group members are:
Group Owner.
Group Members.
Users who have admin roles.
Other than the above, if anyone tried to fetch the group members, they won't get any list of group members (same as 0 users).
I tried to reproduce the same in my environment and got the below results:
I created one Azure AD group with "HiddenMembership" and added few members using below script:
Connect-AzureAD
New-AzureADMSGroup -DisplayName "HiddenMem_Group" -Description "Hidden Members Group" -groupTypes "Unified" -Visibility "HiddenMembership" -SecurityEnabled $False -MailEnabled $True -MailNickname "hide_mem"
Add-AzureADGroupMember -ObjectId "GroupID" -RefObjectId "User_ObjectID"
Response:
Please note that, the user who created group will be Group Owner of that group by default like below:
As Testdemo is Group Owner, he can get the list of group members using command like below:
Get-AzureADGroupMember -ObjectId <Group_ObjectID>
Response:
When a normal user with no admin roles and not a member of that group runs the same command, he won't get any response (same as 0 users) like below:
Get-AzureADGroupMember -ObjectId <Group_ObjectID>
Response:
Reference:
New-AzureADMSGroup (AzureAD) | Microsoft Docs
We want to add admin group as a owner to all other groups. When we tried to add via powershell command we got below error
'Group' is invalid for the 'owners' reference
It's not support to add a group as a owner to all other groups currently.
You could use Get-AzureADGroupMember to get a list of the group member and then foreach them to add all the members as owners of other groups.
An example:
$adgms = Get-AzureADGroupMember -ObjectId "{objectId of the admin group}" -All $true
foreach($adgm in $adgms){
Add-AzureADGroupOwner -ObjectId "{objectId of the target group}" -RefObjectId $adgm.ObjectId
}
So I have a SID of a FSP: S-1-5-21-2127521184-1604012920-1887927527-72713.
Translation worked in powershell but I would like to do the ldap query by myself, like here but have a little trouble with proper SID conversion.
Could you help me with query that give me a corresponding account name based on SID ?
You can bind directly to an object using the SID using LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>. Then get the username after that.
In PowerShell, it would look something like:
$account = [adsi]"LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
$username = $account.Properties["sAMAccountName"]
If the computer you run this from is on a different domain than the account, you may have to specify the domain:
$account = [adsi]"LDAP://domain.com/<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
If you have Java available you can query the ObjectSID directly.
We show an Example with code
I am able to use an ldapsearch like:
ldapsearch -h example.net -D "EXAMPLE\myID" -b "OU=Accounts,DC=EXAMPLE,DC=NET" -s sub -a search -z 1000 "(ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)" "objectClass"
And get results.
# extended LDIF
# LDAPv3
# base <OU=Accounts,DC=EXAMPLE,DC=NET> with scope subtree
# filter: (ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)
# requesting: objectClass samAccountName
#
# userid, sales, Accounts, EXAMPLE.NET
dn: CN=userid,OU=sales,OU=Accounts,DC=EXAMPLE,DC=NET
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: userid
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This search is done from a Linux machine and done by a user that is not represented by the ObjectSID.
I'm trying to get all users that had been disabled in my domain and put it into a SQL Table. I'm trying to use SSIS to do that. Now that I can grab the right output and put it into a CSV file using this code:
Search-ADAccount -AccountDisabled -UsersOnly |
Select Name |
Export-CSV -Path C:\Users\hou\Downloads\Test.csv
But since I'm going to run the package in different servers and I couldn't have a fixed location to store the file and load into SQL Table. So either I'm going to use a variable in the Execute Process Task (where I run the Powershell script) to store the CSV file, or use SSIS to store the output directly in SQL table.
But I don't know neither of those. How can I do that?
Location should be define in the script, i.e:
$Path = Get-Location
"$Path\Test.csv"
#Option 1 just a Name
$Path = Get-Location ; Get-ChildItem C:\temp | Select-Object Name | Export-CSV -Path "$Path\Test.csv"
## Option 2 Name, with other property
$Path = Get-Location ; Get-ChildItem C:\temp | Select-Object Name,mode | Export-CSV -Path "$Path\Test.csv"
For one liner script , use the ";" to separate the commands.
I would suggest loading the data into SQL using PowerShell. There is a free PowerShell module from Microsoft called "sqlserver" that allows PowerShell to talk directly to SQL. You may already have it installed.
## Check if installed:
Get-InstalledModule -Name SqlServer
## If installed you can Update (you may need to run as local admin):
Update-Module -Name SqlServer
## If not installed (only need admin if you want all users to have access to this module):
Install-Module SqlServer
Once the module is installed there is a cmdlet called "Write-SqlTableData" to bulk copy data into SQL. The assumption is (1) the table already exists in SQL. (2) All the columns in the PowerShell Select match the order and datatype as they exist in the SQL table. In this case, there would be a SQL table with a single [Name] column. (3) You are using your AD credentials to access SQL, if not you will have to add credentials to the cmdlet.
The actual PowerShell code, update the variables in the quotes:
## Input Variables
$SqlServerName = ""
$SqlDatabaseName = ""
$SqlTableSchemaName = ""
$SqlTableName = ""
## Insert into SQL
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object Name | Write-SqlTableData -ServerInstance $SqlServerName -DatabaseName $SqlDatabaseName -SchemaName $SqlTableSchemaName -TableName $SqlTableName -Force
As a side note, if you plan on doing a lot of PowerShell/SQL work, you may want to also install the "WFTools" module as it also has many additional SQL cmdlets.
Hope this helps.
How can I save the results from a Powershell command to a MS SQL DB?
For example:
I run this at a Powershell prompt: get-psdrive and it returns some results in a column view.
How can I take each element of the result and log it into a separate DB row/column?
I recommend saving the results of your command to a variable. Such as:
$drives = Get-PSDrive
The variable can be indexed like this:
First Element:
$drives[0]
Last Element:
$drives[-1]
You can iterate through each element with foreach:
foreach ($drive in $drives) {
# current drive is $drive
}
Or the ForEach-Object cmdlet:
$drives | ForEach-Object {
# current drive is $_
}
Now that you have the data to populate your table with you are ready to connect to the database and perform the database record inserts.
You can make use of the Powershell SQL server cmdlets or you can connect using .NET objects. Depending on what version of SQL server you have will drive your choice on which to use. SQL Server 2008 has Powershell cmdlets, 2005 does not. There is a wealth of information about the SQL server 2008 Powershell integration here. For SQL Server 2005 you have some different options. This question answer here provides a list of Powershell options to use with SQL Server 2005.
More Info:
When Powershell displays object information it uses a type system to selectively determine what properties of the object to display on the screen. Not all of the object's are displayed. Powershell uses XML files to determine what properties to display which are stored in the Powershell directory:
dir $PSHOME/*format* | select Name
The objects returned from Get-PsDrive are of type System.Management.Automation.PSDriveInfo. The file PowerShellCore.format.ps1xml tells the formatting engine what properties to display in the Powershell window. It just might be that these are the exact properties you are looking for however many objects have additional properties that are not displayed. For example an object of type System.IO.DirectoryInfo will not have all it's properties displayed by default. You can view the rest of the objects properties using the Get-Member cmdlet, for example:
Get-Item $env:windir | Get-Member
This will show all of the object's methods and properties. You can also view all of the object's properties using the Select-Object cmdlet using a wildcard for the property parameter:
Get-Item $env:windir | Select-Object -Property *
To access an objects properties values use the following syntax:
$objectVariable.ObjectProperty
Now that you know how to view an objects properties and access their values you'll need to use this to construct an Insert SQL statement. Here is an example using the Invoke-SqlCmd cmdlet provided with SQL Server 2008.
Invoke-Sqlcmd -ServerInstance $env:COMPUTERNAME -Database Test -Query "Insert MyTable values ('a', 'b')"
Here's an example looping through objects returned from Get-PsDrive assuming you have a table called MyTable and it has at least two columns which accept textual data:
Get-PsDrive | ForEach-Object {
$providerName = $_.Name
$providerRoot = $_.Root
Invoke-Sqlcmd -ServerInstance $env:COMPUTERNAME -Database Test -Query "Insert MyTable values ('$providerName', '$providerRoot')"
}